InfoSec Handlers Diary Blog

Ian wrote in the following: "Would it perhaps be a useful thing to put a note in the ISC diary as a reminder for people to make sure that their 'abuse@domain' addresses are actually working? I've lost count of the number of full mailboxes, broken redirects &c I see."

According to RFC 2142, organizations that accept email are supposed to have working abuse@domain and security@domain addresses. The reason is simple: if someone outside your organization notices a problem, they need a way to get in touch and let you know. Recent examples include Conficker and other malware, where you may have infected systems and a good Samaritan would like you to clean them up. Email is one of the simpler and faster ways to do that. If you don't have such an address, or the mailbox is full, bounces, or is not monitored, you miss the chance to be told that something bad is going on.

On the flip side, these addresses can quickly swamp the helpdesk or whoever is supposed to follow up on them. They also tend to attract spam. If abuse@ receives a sufficient volume of email, an automated process to weed through the flood is advisable, although this introduces the risk that an important message is ignored.
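One way to do the automated weeding while keeping that risk in check, as an added example that is not from the diary: a triage step for abuse@ that never discards a message but sends RFC 5965 ARF feedback reports, and any message naming the organisation's own address space, to a human first. The netblock 192.0.2.0/24 and the sample messages are assumptions constructed for this example.

```python
# Triage rules for an abuse@/security@ inbox (added example, not from the diary).
# Constructed assumptions: we own 192.0.2.0/24; RFC 5965 ARF feedback reports and
# any message naming our address space go to a human first. Nothing is dropped:
# lower-priority mail lands in the 'auto' or 'review' queue for a later digest.
import ipaddress
import re
from email import message_from_string
from email.message import Message

OUR_NETBLOCKS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed example range
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_arf_report(msg: Message) -> bool:
    """RFC 5965 reports are multipart/report with report-type=feedback-report."""
    return (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "feedback-report")


def mentions_our_space(msg: Message) -> bool:
    """True if any text part contains an IPv4 literal inside our netblocks."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True) or b""
        text = body.decode(part.get_content_charset() or "utf-8", "replace")
        for literal in IPV4_RE.findall(text):
            try:
                addr = ipaddress.ip_address(literal)
            except ValueError:  # 999.1.1.1 matches the regex but is not an address
                continue
            if any(addr in net for net in OUR_NETBLOCKS):
                return True
    return False


def triage(raw: str) -> str:
    """Return the queue name: 'priority', 'auto' or 'review'. There is no 'delete'."""
    msg = message_from_string(raw)
    if is_arf_report(msg) or mentions_our_space(msg):
        return "priority"
    if msg.get("Auto-Submitted", "no").lower() != "no":
        return "auto"  # auto-replies and bounces: kept, read in batch
    return "review"  # spam and everything else: kept for a periodic digest


# Constructed samples: a trimmed ARF report, a plain-text complaint about one of
# our hosts, and an out-of-office auto-reply.
SAMPLE_ARF = ("Content-Type: multipart/report; report-type=feedback-report; boundary=b\n"
              "\n--b\nContent-Type: text/plain\n\nSpam received from 203.0.113.9\n--b--\n")
SAMPLE_COMPLAINT = "Subject: scanning\n\nYour host 192.0.2.44 is probing port 22 on us.\n"
SAMPLE_AUTOREPLY = "Auto-Submitted: auto-replied\nSubject: Out of office\n\nBack Monday.\n"
```

The 'review' queue is what gets digested on a schedule; the point of keeping it is that a mis-scored report can still be found later.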

As an infosec professional, you rarely have the formal power to simply issue a "Make it so!" mandate to launch a project, introduce significant change, or influence behavior of co-workers. Those of us classified as "middle managers" or "individual contributors" are often requested to advise, implement, control, and oversee without direct control over the people who use the data or manage the IT infrastructure. Even Chief Information Security Officers (CISOs) often do not have the staff or the budget to launch significant initiatives without strong support of executive managers and other co-workers.

And yet, you probably have ideas for strengthening network defenses, are concerned about risk exposure to some business areas, and need to implement projects to meet your annual objectives. How do you garner the support of colleagues who are difficult to reach? How do you get your message heard? Here are my 10 tips:

Have a message that's worth being heard. Don't lose credibility with half-formed ideas. Also, sometimes it's good to speak off the cuff, but being prepared usually makes a huge difference. Consider your thoughts from all perspectives and anticipate possible objections. Ask your friends to critique all aspects of your proposal.

Consider the concerns and language of the recipient. As Seth Godin put it, we don't like receiving e-mail. We want me-mail! How is your request relevant to the person you're trying to reach? Craft your message using the language of that person. Don't assume that terminology that's second nature to you (SecurID, WEP, DDoS, etc.) is known to him. If communicating with managers or business folks, learn their language (SWOT, CapEx, SaaS, etc.).

Speak up! But don't be too loud. If you're introverted by nature, or if you speak in an understated tone, make an effort to speak more loudly, directly, and clearly. At the same time, don't become the person who yells "Fire!" every time there's a whiff of smoke--the audience quickly learns to ignore screaming. Conversely, if you're usually loud, try speaking softly--in some situations, such as presentations, that gets people to pay closer attention.

Understand when to say it. If sending email, use tools such as Xobni to determine the hour when the recipient is most likely to answer messages. If submitting printed documents is getting you nowhere, catch the person on the way for a cup of coffee. Is he a morning person? What's his mood today? The when of the message matters as much as the what.

Switch the medium. You've tried instant messenger, you've tried email, and another email, and another. Use the phone. Or a paper letter. Or, stop by the colleague's office in person (bring a snack to share or good coffee).

Don't overwhelm with choices. People can be paralyzed into inaction when offered too many choices. If weighing several courses of action, list a few choices, identify the pros and cons of each, and leave the remaining options for an appendix, available upon request.

Be brief. No one has time to read long emails. Practice on Twitter to create a succinct message that gets to the point quickly. For more inspiration, see three.sentenc.es.

Follow up. The recipient probably receives a message per minute, and very possibly yours got lost. Follow up, if you believe your message is important. (You still need to be tactful, of course.) When following up, consider repeating the gist of your message using different words.

Find an ally. If you have a hard time reaching or convincing the ultimate recipient directly, find someone more accessible to you who would speak on your behalf or support your case. Whom you know really can make a difference.

Give first, without expecting to receive. If asking for a favor, the person may think (sometimes unconsciously), "What have you done for me lately?" If you are known for helping others, your colleagues will be more predisposed to help you. This is often a problem for security people who've developed a reputation for being Dr. No! (as in "No, you cannot have that firewall port opened!").

If this perspective resonates with you, here are additional thoughts on the non-technical aspects of information security: